fixed

middleware/jwt.go

@@ -4,6 +4,7 @@ package middleware
 import (
 	"context"
 	"database/sql"
+	"encoding/pem"
 	"fmt"
 	"net/http"
 	"net/url"
@@ -155,10 +156,22 @@ func isSessionBlacklisted(sessionID string) bool {
 
 func parseToken(tokenString, secretKey string) (*jwt.Token, error) {
 	return jwt.ParseWithClaims(tokenString, jwt.MapClaims{}, func(token *jwt.Token) (interface{}, error) {
-		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+		if token.Method != jwt.SigningMethodRS256 {
 			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
 		}
-		return []byte(secretKey), nil
+		publicKeyPEM := os.Getenv("JWT_PUBLIC_KEY")
+		if publicKeyPEM == "" {
+			return nil, fmt.Errorf("JWT public key not set")
+		}
+		block, _ := pem.Decode([]byte(publicKeyPEM))
+		if block == nil {
+			return nil, fmt.Errorf("failed to decode PEM block")
+		}
+		pubKey, err := jwt.ParseRSAPublicKeyFromPEM([]byte(publicKeyPEM))
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse RSA public key")
+		}
+		return pubKey, nil
 	})
 }